Install the Device Certificate for a Dedicated Log Collector
Table of Contents
Install the Device Certificate for a Dedicated Log Collector
Install the device certificate on a Dedicated Log Collector to leverage Palo Alto
Networks cloud services.
Where Can I Use This? | What Do I Need? |
|---|---|
|
|
You must install the device certificate on the Dedicated Log Collector to use Device Telemetry. You only need to install
a device certificate once. The device certificate has a 90-day lifetime. The
Dedicated Log Collector reinstalls the device certificate 15 days before the
certificate expires. In the event the Dedicated Log Collector is unable to reinstall
the device certificate on its own, you may need to manually restore an expired device certificate.
To successfully install the device certificate, the Dedicated Log Collector must have
an outbound internet connection and the following Fully Qualified Domain Names
(FQDN) and ports must be allowed on your network.
You must manually install the device certificate on each Dedicated Log Collector
individually. Installing the device certificate from the Panorama™ management server
is not supported.
FQDN | Ports |
|---|---|
| TCP 80 |
| TCP 443 |
| TCP 444 and TCP 443 |
- Log in to the Dedicated Log Collector CLI as a Superuser.An admin with Superuser access privileges is required to required to apply the OTP used to install the device certificate on Panorama.
- View the current device certificate status on the Dedicated Log Collector.admin>show device-certificate statusThe Dedicated Log Collector displays one of the following responses:
- Device certificate was never installed—No device certificate found
- Device certificate expired—Current device certificate status: ExpiredThe response also displays the lifetime of the previous device certificate and the date and time the last device certificate fetch was attempted.
- Device certificate fetch failed—Response displays the last time the device certificate fetch was attempted.
Generate the One Time Password (OTP).OTP lifetime is 60 minutes and expires if not used within the 60 minute lifetime.The Dedicated Log Collector may only attempt to retrieve the OTP from the CSP one time. If the Dedicated Log Collector fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.- Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
- Select andGenerate OTP.
- For theDevice Type, selectGenerate OTP for Panoramaand clickNext.
- Select thePanorama Deviceserial number andGenerate OTP.
- Generate OTPand copy the OTP.
An admin with Superuser access privileges is required to required to apply the OTP used to install the device certificate on Panorama.Configure the Network Time Protocol (NTP) server.An NTP server is required to validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.admin>configureadmin#set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <ip_address>admin#set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <ip_address>admin>commitadmin>exitInstall the device certificate.admin>request certificate fetch otp <otp_value>Verify the device certificate successfully installed.admin>show device-certificate statusA successful device certificate installation displays the following response:Device Certificate information: Current device certificate status: Valid Not valid before: 2022/11/30 15:17:47 PST Not valid after: 2023/02/28 15:17:47 PST Last fetched timestamp: 2022/11/30 15:29:42 PST Last fetched status: success Last fetched info: Successfully fetched Device Certificate
